Deep Audit: Multi-Agent Standards & Compliance Framework
Execute this skill to audit work against standards and compliance requirements with formal pass/fail verdicts.
Execution Instructions
When invoked, you will:
- Resolve scope and context — invoke context skill (always), then preflight if confidence is low
- Populate audit scope from working_scope
- Spawn auditor agents in parallel for comprehensive checking
- Aggregate violations from all auditors
- Generate audit report with PASS/FAIL verdict
- Save report to
.outputs/audit/
Note: This is a formal audit with pass/fail verdict, not improvement suggestions.
Dependency Check
Before executing any step, verify all required skills are present:
[skills-root]/context/SKILL.md
[skills-root]/preflight/SKILL.md
[skills-root]/domain-registry/README.md
Where [skills-root] is the parent of this skill's directory. Resolve with ls ../ from this skill's location.
If any required file is missing → stop immediately and output:
⚠ Missing required skills for deep-audit:
{missing-skill}
Expected: {skills-root}/{missing-skill}/SKILL.md
Install the missing skill(s):
git clone https://github.com/mikeng-io/agent-skills /tmp/agent-skills
cp -r /tmp/agent-skills/skills/{missing-skill} {skills-root}/
Or install the full suite at once:
cp -r /tmp/agent-skills/skills/ {skills-root}/
All dependencies present → proceed to Step 0.
Step 0: Scope & Context Resolution
Context (always required):
Invoke Skill("context") first. It classifies the artifact, detects domains from domain-registry, and determines routing confidence:
context_report:
artifact_type: "" # code | financial | marketing | creative | research | mixed
domains: [] # matched domain names from domain-registry
routing: "" # parallel-workflow | debate-protocol | deep-council
confidence: "" # high | medium | low
Preflight (conditional — triggered by context confidence):
Invoke Skill("preflight") only if context_report.confidence == "low" OR one or more signals remain unresolved:
- Artifact is not clearly identified
- Standards or compliance requirements cannot be inferred
- Domains could not be detected
- Scope is too broad to audit meaningfully
Preflight fills exactly the gaps context could not resolve (max 3 questions, one at a time):
scope_clarification:
artifact: "" # what to audit
intent: "audit"
domains: [] # supplements context_report.domains
constraints: [] # explicit standards, compliance requirements, focus areas
confidence: "" # high | medium
If context_report.confidence == "high" → skip preflight entirely.
Merge into working scope:
working_scope:
artifact: "" # files, topics, or description of what to audit
domains: [] # from context_report (authoritative), supplemented by preflight
standards: [] # inferred from domains, artifact type, and any explicit constraints
compliance: [] # inferred from context + scope_clarification
context_summary: "" # combined description for auditor agent prompts
Use working_scope throughout this skill.
Step 1: Populate Audit Scope
Using working_scope from Step 0, populate the audit context:
audit_context:
files: [] # from working_scope.artifact
artifacts: [] # additional artifacts from working_scope
topics: [] # key topics from context_report
standards: [] # from working_scope.standards
compliance: [] # from working_scope.compliance
domain_inference: [] # from working_scope.domains
Infer audit requirements from working_scope:
- Explicit standards (e.g., "WCAG 2.1", "OWASP Top 10") → carry forward from constraints
- Compliance needs (e.g., "GDPR compliance", "SOC2") → from compliance field
- Domain context (e.g., "healthcare app" → HIPAA) → from domain-registry mapping
- File types (e.g.,
.tsx→ accessibility) → from artifact_type in context_report
Step 2: Spawn Auditor Agents in Parallel
Spawn auditor sub-agents in parallel using the Task tool.
Auditor Distribution
auditor_selection:
step_1_read_domain_registry:
- Read domain-registry/domains/technical.md
- Read domain-registry/domains/business.md
- Read domain-registry/domains/creative.md
step_2_match_signals:
- Match conversation signals against each domain's trigger_signals
- Select all matching domains (minimum 2)
step_3_map_to_auditors:
- Each selected domain → spawn corresponding expert_role as auditor
- Weight distribution: 30% to primary domain, remainder shared equally
fallback_if_technical_signals:
- Security Auditor (30%)
- Accessibility Auditor (25%)
- Code Standards Auditor (20%)
- Regulatory Auditor (15%)
- Performance Auditor (10%)
examples:
- marketing artifact → Brand Compliance Auditor + Legal Auditor + Audience Fit Auditor
- financial document → Financial Accuracy Auditor + Regulatory Auditor + Risk Auditor
- design system → Visual Standards Auditor + Accessibility Auditor + Brand Auditor
execution:
mode: parallel
max_concurrent: 5
capability: high
Agent Templates
Security Auditor
Weight: 30%
Purpose: Check security standards and vulnerabilities
Capability: high
You are a SECURITY AUDITOR. Your role is to check for security vulnerabilities and standards compliance.
## Your Mindset
"Does this meet security standards? Are there vulnerabilities?"
## Standards to Check
- OWASP Top 10
- CWE (Common Weakness Enumeration)
- Security best practices
- Authentication/authorization
- Input validation
- Data encryption
- Secrets management
## Context to Audit
{conversation_context}
## Your Scope
{scope_description}
## Output Format (JSON)
{
"agent": "security-auditor",
"verdict": "PASS | FAIL",
"violations": [
{
"severity": "CRITICAL | HIGH | MEDIUM | LOW",
"standard": "OWASP A03:2021 | CWE-79 | etc.",
"category": "Injection | XSS | Authentication | etc.",
"location": "File path and line number",
"violation": "Description of the violation",
"evidence": "Code snippet or reference",
"remediation": "How to fix",
"resources": ["Links to documentation"]
}
],
"passed_checks": [
"List of security checks that passed"
],
"overall_security_score": "0-100"
}
Accessibility Auditor
Weight: 25%
Purpose: Check accessibility standards compliance
Capability: high
You are an ACCESSIBILITY AUDITOR. Your role is to check for accessibility compliance.
## Your Mindset
"Is this accessible to all users? Does it meet WCAG standards?"
## Standards to Check
- WCAG 2.1 (Level A, AA, AAA)
- ARIA best practices
- Keyboard navigation
- Screen reader compatibility
- Color contrast
- Focus management
- Semantic HTML
## Context to Audit
{conversation_context}
## Output Format (JSON)
{
"agent": "accessibility-auditor",
"verdict": "PASS | FAIL",
"wcag_level": "A | AA | AAA",
"violations": [
{
"severity": "CRITICAL | HIGH | MEDIUM | LOW",
"standard": "WCAG 2.1.1 | WCAG 1.4.3 | etc.",
"category": "Perceivable | Operable | Understandable | Robust",
"location": "File path and line number",
"violation": "Description of the violation",
"impact": "Who is affected (screen reader users, keyboard users, etc.)",
"remediation": "How to fix",
"resources": ["Links to WCAG documentation"]
}
],
"passed_checks": [
"List of accessibility checks that passed"
],
"overall_accessibility_score": "0-100"
}
Code Standards Auditor
Weight: 20%
Purpose: Check code style and standards compliance
Capability: high
You are a CODE STANDARDS AUDITOR. Your role is to check for code style and standards compliance.
## Your Mindset
"Does this follow the project's coding standards?"
## Standards to Check
- Applicable language-specific coding standards
- Applicable linting rules and tools for the detected language
- Formatting and style rules for the detected language
- Naming conventions
- File organization
- Documentation requirements
- Test coverage thresholds
## Context to Audit
{conversation_context}
## Output Format (JSON)
{
"agent": "code-standards-auditor",
"verdict": "PASS | FAIL",
"violations": [
{
"severity": "HIGH | MEDIUM | LOW",
"standard": "applicable coding standard | linting rule | etc.",
"category": "Style | Formatting | Naming | Documentation",
"location": "File path and line number",
"violation": "Description of the violation",
"current": "Current code pattern",
"expected": "Expected code pattern",
"remediation": "How to fix"
}
],
"passed_checks": [
"List of standards checks that passed"
],
"overall_compliance_score": "0-100",
"test_coverage": {
"current": "85%",
"required": "80%",
"status": "PASS | FAIL"
}
}
Regulatory Auditor
Weight: 15%
Purpose: Check regulatory compliance requirements
Capability: high
You are a REGULATORY AUDITOR. Your role is to check for regulatory compliance.
## Your Mindset
"Does this meet regulatory requirements?"
## Standards to Check
- GDPR (data privacy)
- HIPAA (healthcare)
- SOC2 (security controls)
- PCI-DSS (payment card industry)
- COPPA (children's privacy)
- Industry-specific regulations
## Context to Audit
{conversation_context}
## Output Format (JSON)
{
"agent": "regulatory-auditor",
"verdict": "PASS | FAIL",
"regulations_applicable": ["GDPR", "HIPAA", etc.],
"violations": [
{
"severity": "CRITICAL | HIGH | MEDIUM | LOW",
"regulation": "GDPR Article 17 | HIPAA §164.308 | etc.",
"category": "Data Privacy | Security | Consent | etc.",
"location": "File path or process",
"violation": "Description of the violation",
"legal_risk": "Potential consequences",
"remediation": "How to fix",
"resources": ["Links to regulation documentation"]
}
],
"passed_checks": [
"List of compliance checks that passed"
],
"overall_compliance_score": "0-100"
}
Performance Auditor
Weight: 10%
Purpose: Check performance benchmarks and SLAs
Capability: high
You are a PERFORMANCE AUDITOR. Your role is to check if performance meets benchmarks.
## Your Mindset
"Does this meet performance standards and SLAs?"
## Standards to Check
- Response time requirements
- Core Web Vitals (LCP, FID, CLS)
- Load time benchmarks
- Database query performance
- API latency targets
- Resource usage limits
- Scalability requirements
## Context to Audit
{conversation_context}
## Output Format (JSON)
{
"agent": "performance-auditor",
"verdict": "PASS | FAIL",
"violations": [
{
"severity": "CRITICAL | HIGH | MEDIUM | LOW",
"standard": "Core Web Vitals | SLA | Benchmark",
"category": "Response Time | Load Time | Resource Usage",
"metric": "LCP | TTFB | Query Time | etc.",
"current_value": "2.5s | 500ms | etc.",
"required_value": "2.5s | 200ms | etc.",
"violation": "Description of the violation",
"impact": "User experience impact",
"remediation": "How to fix"
}
],
"passed_checks": [
"List of performance checks that passed"
],
"overall_performance_score": "0-100",
"core_web_vitals": {
"lcp": {"value": "2.1s", "threshold": "2.5s", "status": "PASS"},
"fid": {"value": "50ms", "threshold": "100ms", "status": "PASS"},
"cls": {"value": "0.05", "threshold": "0.1", "status": "PASS"}
}
}
Step 3: Aggregate Violations
After all auditor agents complete, aggregate their findings:
Determine Overall Verdict
verdict_logic:
FAIL:
- Any CRITICAL violation
- 3+ HIGH severity violations
- Any regulatory violation (CRITICAL/HIGH)
CONCERNS:
- 1-2 HIGH severity violations
- Multiple MEDIUM violations
- All checks passed but warnings exist
PASS:
- No CRITICAL or HIGH violations
- Only MEDIUM/LOW violations (acceptable)
- All critical checks passed
Violation Summary
by_severity:
critical: [count]
high: [count]
medium: [count]
low: [count]
by_category:
security: [count]
accessibility: [count]
code_standards: [count]
regulatory: [count]
performance: [count]
blocking_violations: [violations that cause FAIL]
Build Summary Table
| Auditor | Verdict | Violations | Score |
|---|---|---|---|
| Security | PASS/FAIL | Critical: 0, High: 2 | 85/100 |
| Accessibility | PASS/FAIL | Critical: 1, High: 0 | 70/100 |
| Code Standards | PASS/FAIL | High: 0, Medium: 5 | 92/100 |
| Regulatory | PASS/FAIL | Critical: 0, High: 0 | 100/100 |
| Performance | PASS/FAIL | High: 1, Medium: 2 | 78/100 |
Step 4: Generate Audit Report
Generate a markdown report with this structure:
# Deep Audit Report
**Audit Type:** Standards & Compliance
**Audited At:** {timestamp}
**Scope:** {what_was_audited}
**Auditors:** 5 specialist auditors
---
## Overall Verdict: {PASS | CONCERNS | FAIL}
**Audit Score:** {weighted_average}/100
**Summary:**
- ❌ {count} CRITICAL violations → {BLOCKS DEPLOYMENT}
- ⚠️ {count} HIGH violations → {SHOULD FIX}
- ⚠️ {count} MEDIUM violations → {RECOMMENDED FIX}
- ℹ️ {count} LOW violations → {NICE TO FIX}
**Blocking Issues:** {count} violations prevent passing
---
## Audit Summary
| Auditor | Verdict | Critical | High | Medium | Low | Score |
|---------|---------|----------|------|--------|-----|-------|
| Security | {PASS/FAIL} | {n} | {n} | {n} | {n} | {n}/100 |
| Accessibility | {PASS/FAIL} | {n} | {n} | {n} | {n} | {n}/100 |
| Code Standards | {PASS/FAIL} | {n} | {n} | {n} | {n} | {n}/100 |
| Regulatory | {PASS/FAIL} | {n} | {n} | {n} | {n} | {n}/100 |
| Performance | {PASS/FAIL} | {n} | {n} | {n} | {n} | {n}/100 |
**Overall Score:** {weighted_average}/100
---
## Critical Violations (Must Fix)
### ❌ {Category}: {Violation Title}
**Severity:** CRITICAL
**Standard:** {OWASP A03:2021 | WCAG 2.1.1 | etc.}
**Auditor:** {auditor_name}
**Violation:**
{Description of the violation}
**Location:**
{File path and line number}
**Evidence:**
```{language}
{Code snippet showing the violation}
Impact: {What happens if not fixed}
Remediation:
{Code showing how to fix}
Resources:
- {Link to standard documentation}
- {Link to remediation guide}
{Repeat for each critical violation}
High Severity Violations (Should Fix)
{Same format as critical, grouped by category}
Medium Severity Violations (Recommended Fix)
{Same format, possibly summarized if many}
Low Severity Violations (Nice to Fix)
{Summarized list}
Passed Checks ✅
Security:
- ✅ No SQL injection vulnerabilities
- ✅ Proper authentication implementation
- ✅ HTTPS enforced
Accessibility:
- ✅ Semantic HTML used
- ✅ Alt text on images
- ✅ Keyboard navigation works
Code Standards:
- ✅ Linting rules followed
- ✅ Test coverage >80%
- ✅ Documentation present
Regulatory:
- ✅ GDPR consent implemented
- ✅ Data encryption at rest
Performance:
- ✅ Core Web Vitals pass
- ✅ API response <200ms
Compliance Status
GDPR Compliance
Status: {COMPLIANT | NON-COMPLIANT | PARTIALLY COMPLIANT} Issues: {count} violations
WCAG 2.1 Level AA
Status: {COMPLIANT | NON-COMPLIANT} Issues: {count} violations
OWASP Top 10
Status: {SAFE | VULNERABLE} Issues: {count} vulnerabilities
Remediation Plan
Immediate (CRITICAL - Must fix before deployment):
- Fix {violation 1}
- Fix {violation 2}
Short Term (HIGH - Should fix this sprint):
- Fix {violation 3}
- Fix {violation 4}
Medium Term (MEDIUM - Fix in next release):
- Fix {violation 5}
- Fix {violation 6}
Long Term (LOW - Fix when convenient):
- Fix {violation 7}
Estimated Effort:
- CRITICAL fixes: {hours/days}
- HIGH fixes: {hours/days}
- MEDIUM fixes: {hours/days}
Re-Audit Recommendation
{If FAIL or CONCERNS:} Re-audit required after fixing:
- All CRITICAL violations
- All HIGH violations (recommended)
{If PASS:} Next audit recommended:
- After major changes
- Before production deployment
- Quarterly compliance check
---
## Step 5: Save Report
## Artifact Output
Save to `.outputs/audit/{YYYYMMDD-HHMMSS}-audit-{slug}.md` with YAML frontmatter:
```yaml
---
skill: deep-audit
timestamp: {ISO-8601}
artifact_type: audit
domains: [{domain1}, {domain2}]
verdict: PASS | FAIL | CONCERNS # if applicable
context_summary: "{brief description of what was reviewed}"
session_id: "{unique id}"
---
Also save JSON companion: {timestamp}-audit-{slug}.json
No symlinks. To find the latest artifact:
ls -t .outputs/audit/ | head -1
QMD Integration (optional, progressive enhancement):
qmd collection add .outputs/audit/ --name "deep-audit-artifacts" --mask "**/*.md" 2>/dev/null || true
qmd update 2>/dev/null || true
Output Structure:
.outputs/audit/
├── 20260130-143000-audit-report.md
└── 20260130-143000-audit-report.json
Configuration (Optional)
# .outputs/audit/config.yaml
audit:
# Auditor weights
weights:
security: 0.30
accessibility: 0.25
code_standards: 0.20
regulatory: 0.15
performance: 0.10
# Severity thresholds
fail_on:
critical: 1 # Fail if any CRITICAL
high: 3 # Fail if 3+ HIGH
# Standards to check
standards:
security: ["OWASP Top 10", "CWE"]
accessibility: ["WCAG 2.1 AA"]
code: ["applicable linting rules", "applicable formatting tools"]
regulatory: ["GDPR"]
performance: ["Core Web Vitals"]
Environment Variables:
export DEEP_AUDIT_OUTPUT_DIR=".outputs/audit/"
export DEEP_AUDIT_WCAG_LEVEL="AA"
export DEEP_AUDIT_FAIL_ON_CRITICAL="true"
Notes
- Formal Verdict: This is pass/fail auditing, not suggestions
- Standards-Based: Checks against established standards
- Compliance Focus: Regulatory and legal requirements
- Blocking: CRITICAL violations block deployment
- Conversation-Driven: Infers standards from context
- Domain-Agnostic: Works for any domain with standards
- Parallel Execution: All auditors run simultaneously
- Multi-Model: For cross-model audit confidence, see
deep-council - Domain-Aware: Auditor selection adapts to domain context via domain-registry
- Context Routing: If the artifact is complex or multi-domain, invoke the
contextskill first to classify artifact type and determine optimal routing (parallel-workflow vs debate-protocol vs deep-council) - DeepWiki (optional): For code artifacts, invoke
Skill("deepwiki")before spawning auditors if the codebase has a Devin-indexed wiki — provides architectural context that improves standards mapping. Non-blocking; skip if unavailable.